
Oct 18, 2022

InsightCloudSec is pleased to announce Release 22.10.19

InsightCloudSec Software Release Notice - 22.10.19 Release

Our latest Release 22.10.19 is available for hosted customers on Wednesday, October 19, 2022. Availability for self-hosted customers is Thursday, October 20, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

⚠️ Self-Hosted Customers

If you’re currently referencing Dockerhub for your ICS images (e.g., divvycloud/divvycloud:XX.Y.Z) or this public ECR location (public.ecr.aws/divvycloud/divvycloud), these repositories will be shut down on November 2, 2022. The new locations for ICS images will be public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.

Release Highlights (22.10.19)

InsightCloudSec is pleased to announce Release 22.10.19. This release includes updates to our Compliance Packs with a new version of the CIS Compliance Framework for Oracle Cloud (v 1.2.0) that adds eight new Insights and a brand new Compliance Pack based on 23 Insights for managing privilege escalation. We have created a powerful new Bot action that sets an LPA Remediation policy for a selected principal and updated Threat Findings to include some new/revised columns. 22.10.19 provides a total of 31 new Insights, six updated Insights, six new Query Filters, three updated Query Filters, one new Bot action, four bug fixes, and two updates for Access Explorer.

Features & Enhancements (22.10.19)

  • Threat Findings has received several updates to the UI/UX around the organization and naming of columns within the default view. The Resource Type is now a new individual column and the Resource Name has been paired with the Resource ID. We have added a new Direction column as well as a Cloud Account column that contains both the Cloud Account Name & Cloud Account ID. Refer to our full documentation on the Threat Findings feature for additional details. [ENG-19774, ENG-19775, ENG-19779]

  • We have updated our modeling of GCP AI Platform Notebooks and added new data properties for the environment/environment version. [ENG-20328]

  • We have updated our resource dependency mapping for Instances, Autoscaling Launch Configurations, and Launch Templates to link to their associated private image. Of note, the image will not show as a dependency if it has been deregistered. [ENG-20486]

Resources (22.10.19)

AWS

  • We have added support for harvesting three AppStream Fleet events via Event-Driven Harvesting (EDH): CreateFleet, UpdateFleet, and DeleteFleet. Three new Query Filters support these additions: App Stream Fleet With Default Internet Access, App Stream Fleet Types, and App Stream Fleet Platforms. [ENG-19702]

AZURE

  • We now harvest the new boolean field scm_ip_security_restrictions_use_main, which indicates whether Source Control Manager (SCM) is configured, and have added a new Query Filter, Web App Configured To Use SCM, that identifies whether the field is enabled. [ENG-20001]

Insights (22.10.19)

Updated Version 1.2.0 CIS Compliance Framework for Oracle Cloud

We are delivering the updated version 1.2.0 CIS Compliance Framework for Oracle Cloud, which includes several new controls. To help maintain compliance with these controls, we have delivered the following new Insights:

  • Access List Exposes SSH to the Public (NACL)

  • Access List Exposes Windows RDP to the Public (NACL)

  • Cloud Group With Administrative Access to Tenancy

  • Cloud User Authentication Tokens Older than 90 Days

  • Cloud User Secret Keys Older than 90 Days

  • Cloud User is Tenancy Administrator with API Key

  • Shared File System not Encrypted or Encrypted with Provider Default Keys

  • Storage Container Without Write Logging Configuration

With the new Insights, our coverage is 35 controls out of 42 automated controls for version 1.2.0 and 22 controls out of 38 automated controls for version 1.1.0. In the process of releasing this pack and adding new Insights, we updated the names of some existing Insights. The old > new names are:

  • Access List Exposes SSH to the Public > Access List Exposes SSH to the Public (SG)

  • Access List Exposes Windows RDP to the Public > Access List Exposes Windows RDP to the Public (SG)

  • Cloud Account Without Default Tags Defined At Root Compartment Level (Oracle) > Cloud Account Without Default Tags Defined at Root Compartment Level

  • Encryption Keys Managed By Customer (CMKs) Not Rotated Annually (Oracle) > Encryption Keys Managed by Customer not Rotated Annually [ENG-15518]

New Insight Pack for Privilege Escalation

We have added the Insight Pack **AWS Privilege Escalation Attacks**, containing 23 Insights that each detect a privilege escalation path. [ENG-18594, ENG-20558]

  • Identity Resource Privilege Escalation by Accessing Jupyter Notebook

  • Identity Resource Privilege Escalation by Adding User to Group

  • Identity Resource Privilege Escalation by Attaching Group Policy

  • Identity Resource Privilege Escalation by Attaching Role Policy

  • Identity Resource Privilege Escalation by Attaching User Policy

  • Identity Resource Privilege Escalation by Changing the Assume Role Policy Document of any Role

  • Identity Resource Privilege Escalation by Changing Passwords on Other Users

  • Identity Resource Privilege Escalation by Creating an EC2 Instance with an Existing Instance Profile

  • Identity Resource Privilege Escalation by Creating a New Jupyter Notebook

  • Identity Resource Privilege Escalation by Creating Passwords for Other Users

  • Identity Resource Privilege Escalation by Creating Pipelines

  • Identity Resource Privilege Escalation by Creating New IAM Policy Version

  • Identity Resource Privilege Escalation by Creating New User Access Keys

  • Identity Resource Privilege Escalation by Creating or Updating Group Inline Policies

  • Identity Resource Privilege Escalation by Creating or Updating Inline Role Policies of any role

  • Identity Resource Privilege Escalation by Creating or Updating Inline User Policies of any User

  • Identity Resource Privilege Escalation by Passing a Role to New Lambda and Invoking it

  • Identity Resource Privilege Escalation by Passing a Role During Cloudformation Stack Creation

  • Identity Resource Privilege Escalation by Passing a Role to Glue Development Endpoint

  • Identity Resource Privilege Escalation by Setting Default Policy Versions On Any Policy

  • Identity Resource Privilege Escalation by Updating Glue Endpoint SSH Key

  • Identity Resource Privilege Escalation by Updating Lambda Layer with Malicious Code

  • Identity Resource Privilege Escalation by Updating Code that is Executed by Lambda Functions

Query Filters (22.10.19)

AWS

  • App Stream Fleet Platforms - New Query Filter identifies AppStream Fleets by platform. [ENG-19702]

  • App Stream Fleet Types - New Query Filter identifies AppStream Fleets by fleet type. [ENG-19702]

  • App Stream Fleet With Default Internet Access - New Query Filter identifies AppStream Fleets configured to allow default Internet access. [ENG-19702]

  • Identity Resource Allows Permission - New Query Filter returns the list of AWS IAM Users or IAM Roles that are granted any of the specified permissions. The filter also accepts a parameter to distinguish Users and Roles granted the permission on all resources ("Resource": "*") from those granted it on any resource at all. [ENG-18594]

  • Systems Manager Document Associated With Storage Container - Updated Query Filter to search for an association with a specific storage container (or not with a specific storage container). [ENG-20329]

AZURE

  • Serverless Function Exposed To Public Via Parent Web App - New Query Filter identifies Serverless Functions in Azure whose parent Function App is public, since a function's exposure is determined by the Function App that contains it. [ENG-15497]

  • Web App Configured To Use SCM - New Query Filter identifies Azure App Services with Source Control Manager (SCM). [ENG-20001]

MULTI-CLOUD/GENERAL

  • Network Resource Without Traffic Logging Configured - Updated Query Filter ignores shared VPCs when they are in the shared-with account. [ENG-20530]

  • Storage Container Logging/Not Logging To Specific Storage Container - We have updated (and renamed) the Query Filter Storage Container Logging To Specific Bucket to support its inverse. [ENG-20330]

Bot Actions (22.10.19)

  • “Set LPA Remediation Policy” - New Bot action sets LPA Remediation policy for selected principal. [ENG-18473]

    • As part of the LPA feature we want to allow customers to remediate potentially risky principals. If a customer has identified a principal that appears to have an over-permissive set of policies, this Bot action generates and attaches an inline policy to that principal which remediates the risk using a combination of Deny and NotAction.

    • The user uses a Query Filter to find the named principal they wish to remediate, and the Bot action analyzes that principal’s CloudTrail logs over the last 90 days to determine any unused permissions. It then generates a policy that denies all actions except the ones the principal has used in the last 90 days, effectively removing the principal’s access to the unused permissions, and attaches this policy to the principal as an Inline Policy.
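The Deny + NotAction approach described above, as an added example (not InsightCloudSec code): it derives the set of actions a principal actually used from CloudTrail records inside a 90-day window and emits an inline policy that explicitly denies everything else. The event records, the principal names (app-reader, deploy-role), the fixed reference time and the eventName suffix-stripping heuristic are all assumptions constructed for this example.

```python
"""
Added example (not InsightCloudSec code): derive a "deny everything not
observed" inline policy from CloudTrail records, following the Deny +
NotAction approach the release note describes for the Set LPA Remediation
Policy action. Event records, principal names and the fixed "now" are all
constructed for this example.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (only the fields the example needs).
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-10T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "app-reader"}},
    {"eventTime": "2022-09-01T08:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket",
     "userIdentity": {"type": "IAMUser", "userName": "app-reader"}},
    # Older than the 90-day window: must not count as "used".
    {"eventTime": "2022-06-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "app-reader"}},
    # Denied call: the permission was never actually exercised, so not "used".
    {"eventTime": "2022-10-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "app-reader"}},
    # Role session: the principal is the role named in sessionIssuer.
    {"eventTime": "2022-10-12T11:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "deploy-role"}}}},
]

# Fixed reference time so the 90-day window is deterministic (assumption).
NOW = datetime(2022, 10, 19, tzinfo=timezone.utc)


def principal_name(identity):
    """Return the IAM user or role name a record belongs to."""
    if identity.get("type") == "AssumedRole":
        return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return identity.get("userName")


def to_iam_action(event_source, event_name):
    """Map a CloudTrail record to an IAM action name.
    Heuristic (assumption): some services append an API date/version suffix to
    eventName (e.g. UpdateFunctionCode20150331v2); strip it to get the action."""
    service = event_source.split(".")[0]
    name = re.sub(r"\d{8}(v\d+)?$", "", event_name)
    return f"{service}:{name}"


def used_actions(events, principal, now=NOW, window_days=90):
    """Actions the principal successfully called inside the lookback window."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for ev in events:
        if principal_name(ev.get("userIdentity", {})) != principal:
            continue
        if ev.get("errorCode"):
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < cutoff:
            continue
        used.add(to_iam_action(ev["eventSource"], ev["eventName"]))
    return used


def remediation_policy(actions):
    """Build the inline policy: an explicit Deny on every action NOT observed.
    An explicit Deny overrides any Allow, so attaching this removes access to
    unused permissions without editing the principal's existing policies."""
    if not actions:
        # No observed activity means an idle principal or incomplete logging;
        # a deny-all policy would be a blind change, so refuse to generate one.
        raise ValueError("no observed actions: refusing to generate a deny-all policy")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LPADenyUnusedActions",
            "Effect": "Deny",
            "NotAction": sorted(actions),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(remediation_policy(used_actions(SAMPLE_EVENTS, "app-reader")), indent=2))
```

Two caveats a practitioner should keep in mind when applying this pattern: CloudTrail only records S3 and Lambda data events (such as GetObject) when data event logging is enabled on the trail, so an incomplete trail under-reports usage and the generated Deny becomes too broad; and the CloudTrail eventName is not always identical to the IAM action name, which is why the example carries a suffix-stripping heuristic and why the observed set should be reviewed before the policy is attached.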

Bug Fixes (22.10.19)

  • Fixed error in IAM calculations for customers who use any of the following context keys in an identity policy – “saml:iss”, “saml:aud”, and “www.amazon.com:app_id”. These context keys were improperly included without being fully implemented. [ENG-20459]

  • Fixed bug in IAM analysis at the principal level that did not fully capture all the permission boundaries, service control policies, and identity policies in play when multiple identity policies contained "Action": "*". This led to some inaccurate results across all AWS IAM features when at least one such policy is conditional on the resource but another is not. All customers that rely on LPA features will see more accurate lists of permitted actions. [ENG-20438]

  • Fixed a bug in the underlying analysis for LPA features that list permitted actions, specifically improperly expanding allowed actions containing a wildcard ("*") into all possible actions documented by AWS. [ENG-20438]

  • Fixed a bug in the underlying analysis for LPA features that list permitted actions, specifically improperly including actions that are restricted by Condition elements when the Resource element is "*". [ENG-20438]
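The two analysis pitfalls the fixes above describe, wildcard expansion and conditional Allows on "Resource": "*", are easy to get wrong in any permitted-actions listing. The following added example (not InsightCloudSec's analysis engine) shows one way to handle them: Action patterns are expanded only against a known action catalog rather than to everything, explicit Deny beats Allow, and a statement carrying a Condition is reported as conditionally permitted rather than as permitted outright. The action catalog and policies are constructed for the example; permission boundaries, SCPs, NotAction and Resource scoping are assumptions left out of scope.

```python
"""
Added example (not InsightCloudSec's analysis engine): list the actions a set
of AWS identity policies permits, expanding wildcard patterns only against a
known action catalog and keeping conditional Allows separate from
unconditional ones. The catalog and policies are constructed for the example;
permission boundaries, SCPs, NotAction and Resource scoping are not modelled.
"""
from fnmatch import fnmatchcase

# Constructed catalog standing in for the full list of documented AWS actions.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "iam:CreateAccessKey", "iam:PutUserPolicy",
    "ec2:RunInstances", "ec2:DescribeInstances",
]

# Constructed identity policies attached to one principal.
SAMPLE_POLICIES = [
    # Allow-all, but only on resources tagged env=dev: conditional, not unconditional.
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/env": "dev"}}}]},
    # Plain read-only grant; the wildcards expand per service, not to everything.
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:Get*", "ec2:Describe*"], "Resource": "*"}]},
    # Explicit Deny wins over both Allows above.
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
]


def _as_list(value):
    """IAM allows a single string/object or a list in most element positions."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def expand(pattern, catalog=ACTION_CATALOG):
    """Expand one Action pattern against the catalog.
    IAM matches action names case-insensitively; '*' and '?' are the wildcards."""
    return {a for a in catalog if fnmatchcase(a.lower(), pattern.lower())}


def permitted_actions(policies, catalog=ACTION_CATALOG):
    """Return (unconditional, conditional) sets of permitted actions.
    Rules applied: explicit Deny beats Allow; an Allow carrying a Condition is
    only conditionally permitted even when Resource is '*'; a Deny carrying a
    Condition demotes an otherwise unconditional Allow to conditional."""
    allow, cond_allow, deny, cond_deny = set(), set(), set(), set()
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if "NotAction" in st:
                raise NotImplementedError("NotAction statements are not modelled here")
            actions = set()
            for pattern in _as_list(st.get("Action")):
                actions |= expand(pattern, catalog)
            conditional = "Condition" in st
            if st["Effect"] == "Deny":
                (cond_deny if conditional else deny).update(actions)
            else:
                (cond_allow if conditional else allow).update(actions)
    unconditional = allow - deny - cond_deny
    conditional = (cond_allow | (allow & cond_deny)) - deny - unconditional
    return unconditional, conditional


if __name__ == "__main__":
    unconditional, conditional = permitted_actions(SAMPLE_POLICIES)
    print("unconditional:", sorted(unconditional))
    print("conditional:  ", sorted(conditional))
```

With the constructed policies the unconditional set is just the read-only actions from the second policy (s3:GetObject, ec2:DescribeInstances), the tag-conditioned allow-all contributes only to the conditional set, and the iam:* actions appear in neither because of the explicit Deny. Reporting the two sets separately is what keeps a "permitted actions" list honest: collapsing them would reproduce exactly the over-reporting the bug fixes above describe.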

Access Explorer (Cloud IAM Governance) (22.10.19)

Cloud IAM Governance Bug Fixes (22.10.19)

  • Improved accuracy of results on the list of resources accessible by a given principal. [ENG-20438]

  • Resolved an issue around multiple action prefixes with maximum boundaries: For resource types that can be accessed through multiple services, such as IAM roles, cross-service actions that were Denied in a permission boundary were sometimes being marked as Allowed when resolved with identity policies that attempted to allow the same cross-service action. [ENG-19737]